E-Z Pass is an American company that allows people to electronically pay tolls without having to carry change or come to a stop at toll booths. Instead, you have a device that you attach to the inside ...

I am creating a platform which is based on REST APIs. My platform has both apps and web.
I don't want to make my APIs public and want my APIs to be usable by my own clients (app and web) only.
I ...

I know how public key cryptography works; (very) simplified:
Alice takes Bob's public key, encrypts a message with said key and sends it to Bob.
Bob and only Bob can decrypt the message, ...

Why even have a redirect or even use the browser? Wouldn't just a normal TLS/HTTPS request/response in the app protect the requests and token?
The one argument I have heard against solely relying on ...

Today I was exploring a website used for keeping track of student grades and everything related to school. Basically like a school progress tracker for your child which is used by 90% of schools in my ...

I am trying to get involved with the Biometric Authentication community but I seem to be having difficulties finding where exactly it congregates.
I understand things may still be fragmented between ...

I'm confused about something in the SAML 2.0 flow. When the initial access to the service provider is made, the service provider must first validate that the user indeed has access and so the service ...

Today when I logged in to Facebook, no 2FA was shown.
I have been using SMS message as the second authentication factor. When I looked at the security settings, 2FA seemed to be disabled. I immediately ...

Most websites (that I have seen) that implement two factor authentication don't support multiple two factor authentication devices linked to one account.
The biggest reasons I can think of for that ...

I understand why one shouldn't store the contents of the JWT token client-side but what about just storing the token expiration time?
I'm using the auth0 authentication service in my app and I'd like ...

I've been building a product using AWS CloudHSM and things are working well in the POC.
Now that I want to move to production, I've realised that there will be a need to authenticate with the HSM in order to ...

When connecting to a server for the first time, ssh usually requires users to check the server's fingerprint and then caches the info. This is needed in order to prevent MiTM.
Is it a design flaw in SSH ...

I am trying to create an authentication header algorithm that can be used for authentication on an HTTP server.
Not sure it is good but it seems OK to me. I also used similar approaches for previous WS ...

I'm testing a web application which uses SAML SSO. The SAML Response has a signature, and it is verified correctly if the data is tampered with. But I noticed that when the signature is removed completely, authentication ...

Will using WebAuthn for an application make it two factor? I am specifically interested in using on-device biometrics to achieve passwordless authentication.
For a true two factor authentication you ...

For a lot of web services offering two factor authentication, after setting up the system, you are given a short list of backup codes (one-time pads) that are around 7-10 characters long. These are ...

I guess this could also be phrased as JWT vs. Basic Auth, similar idea?
Passing a token for each API request seems to be the more common and recommended approach, and I have the gut feeling that it ...

In my system, a new user must confirm his email.
But there is an edge case:
he registers
does not confirm
forgets his password, performs a password reset (which involves a mail loop)
At that point I know ...

I own a web application (single page application with Angular), that asks for some data through a set of REST APIs based on my server-side application (using Play Framework 2.2.1).
So basically, I'm ...

I think I have a high level understanding of what a JWT is and how it works.
I would now like to apply it to a use case, namely that the token would be used for authentication purposes, and passing ...

I have often thought about the fact that when intimate relationship partners live together they eventually tend to sneak over your shoulder and gain access to your password on either your mobile phone ...

What are some methods for preventing account enumeration on login when accounts have optional two factor authentication?
Without two factor authentication we would just return the same response for ...

In our web application project we are required to establish MF authentication with a combination of a memorised secret token (password) and an Out of Band token. Earlier we were planning to implement SMS ...

CyberArk integration with Rapid7 enables Rapid7 to easily run credentialed scans and dynamically assign credentials for authentication for multiple assets.
Looking up credentials in the CyberArk Vault ...

Suppose TLS is used and a session ID was negotiated using standard HTTP mechanisms. With the websocket opening handshake, this session ID is also transferred in the HTTP header.
Suppose the websocket ...